@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://grahamhelton.com/blog/nodes-proxy-rce
  • Blog Title: nodes/proxy GET → Kubelet /exec RCE via WebSocket handshake authorization (Kubernetes RBAC bypass)
  • Suggested Section: Kubernetes Pentesting -> Kubernetes Role-Based Access Control (RBAC) -> Abusing Roles/ClusterRoles in Kubernetes (add a subsection like "nodes/proxy GET -> Kubelet /exec via WebSocket verb confusion"), and cross-link from "Pentesting Kubernetes Services" (Kubelet) if present

🎯 Content Summary

Post summary (Published: 2026-01-26)
The post describes a Kubernetes RBAC authorization bypass where a service account that appears “read-only” because it only has nodes/proxy with verb get can still achieve command execution inside arbitrary Pods by connecting directly to the node’s Kubelet API (TCP 10250) and using WebSockets for the Kubelet /exec endpoint. Tested on Kubernetes v1.34 and v1.35. The re...

🔧 Technical Details

Trick 1 — Exploit protocol-driven RBAC verb mapping (WebSocket GET handshake): If an authorization layer derives RBAC verbs from the initial HTTP method, then protocols that begin with a mandatory HTTP GET handshake (WebSockets, and similarly SPDY) can downgrade an operation’s required verb. For kubelet /exec, the interactive stream is established via a WebSocket handshake (GET + Connection: Upgrade), so the kubelet maps the request to RBAC verb get instead of the semantically correct create. If there is no second authz check after upgrade, the attacker can perform write-like actions (command execution) with only read-like verbs.

Trick 2 — Abuse overbroad/default subresource mapping to nodes/proxy: When an API path-to-subresource mapper does not explicitly enumerate sensitive endpoints (/exec, /run, /attach, /...

🤖 Agent Actions

Updated HackTricks with the kubelet nodes/proxy WebSocket verb-confusion abuse:

  • Expanded abusing-roles-clusterroles-in-kubernetes/README.md with a detailed subsection on exploiting nodes/proxy GET to reach kubelet /exec over WebSockets, including the verb/subresource mapping flaw, direct exploitation via websocat, audit evasion notes, and detection/mitigation pointers. Added references to the research blog, detection script, and tooling.
  • Added a note in kubelet-authentication-and-authorization.md highlighting the WebSocket GET authorization gap for exec-like endpoints and linked to the detailed abuse section. Updated references to include the new research.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
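Defender-side check suggested by the verb-confusion issue described above, as an added example that is not code from the blog post, this PR, or Kubernetes itself: an RBAC audit that flags Roles/ClusterRoles whose rules grant `get` on the `nodes/proxy` subresource (or a wildcard covering it), since per the post that grant alone is enough to reach kubelet `/exec` over a WebSocket handshake. The input shape mirrors `kubectl get clusterroles -o json`; the role objects below are constructed sample data.

```python
"""Flag RBAC roles that are effectively exec-equivalent via nodes/proxy get."""

# Verbs that suffice for the WebSocket /exec path: 'get' (per the post) or the
# RBAC wildcard '*', which matches every verb.
EXEC_EQUIVALENT_VERBS = {"get", "*"}
# Resource entries that cover the nodes/proxy subresource: the exact name,
# the subresource wildcard 'nodes/*', or the global wildcard '*'.
PROXY_RESOURCE_PATTERNS = {"nodes/proxy", "nodes/*", "*"}


def rule_grants_nodes_proxy_get(rule: dict) -> bool:
    """True if one PolicyRule allows verb 'get' on resource 'nodes/proxy'."""
    # Nodes live in the core API group, written as "" in RBAC; '*' covers it too.
    group_ok = any(g in ("", "*") for g in rule.get("apiGroups", []))
    resource_ok = any(r in PROXY_RESOURCE_PATTERNS for r in rule.get("resources", []))
    verb_ok = any(v in EXEC_EQUIVALENT_VERBS for v in rule.get("verbs", []))
    return group_ok and resource_ok and verb_ok


def find_exec_equivalent_roles(role_list: dict) -> list:
    """Return names of roles in a List object that match the check above."""
    flagged = []
    for role in role_list.get("items", []):
        # Aggregated ClusterRoles may carry 'rules: null'; treat that as empty.
        rules = role.get("rules") or []
        if any(rule_grants_nodes_proxy_get(r) for r in rules):
            flagged.append(role["metadata"]["name"])
    return flagged


# Constructed sample, shaped like `kubectl get clusterroles -o json`.
SAMPLE_ROLES = {
    "items": [
        {"metadata": {"name": "node-proxy-reader"},  # looks read-only, is not
         "rules": [{"apiGroups": [""], "resources": ["nodes", "nodes/proxy"],
                    "verbs": ["get", "list"]}]},
        {"metadata": {"name": "pod-viewer"},  # genuinely read-only
         "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
                    "verbs": ["get", "list", "watch"]}]},
        {"metadata": {"name": "node-wildcard"},  # wildcards reach nodes/proxy too
         "rules": [{"apiGroups": ["*"], "resources": ["nodes/*"], "verbs": ["*"]}]},
        {"metadata": {"name": "apps-admin"},  # wrong API group: nodes are core
         "rules": [{"apiGroups": ["apps"], "resources": ["*"], "verbs": ["*"]}]},
    ]
}

if __name__ == "__main__":
    for name in find_exec_equivalent_roles(SAMPLE_ROLES):
        print(f"exec-equivalent via nodes/proxy get: {name}")
```

On a live cluster, pipe `kubectl get clusterroles,roles -A -o json` into `find_exec_equivalent_roles` and review every flagged role's bindings, since the post's point is that such a grant is not read-only.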

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://grahamhelton.com/blog/nodes-proxy-rce

Content Categories: Based on the analysis, this content was categorized under "Kubernetes Pentesting -> Kubernetes Role-Based Access Control (RBAC) -> Abusing Roles/ClusterRoles in Kubernetes (add a subsection like "nodes/proxy GET -> Kubelet /exec via WebSocket verb confusion"), and cross-link from "Pentesting Kubernetes Services" (Kubelet) if present".

Repository Maintenance:

  • MD Files Formatting: 574 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
